Anomaly location identification device, anomaly location identification method, and program

ABSTRACT

An anomaly location identification device includes a determination unit configured to determine presence or absence of an anomaly by inputting part or all of information items output from a plurality of devices into an anomaly detection algorithm; a calculation unit configured to calculate, in response to a determination made by the determination unit that an anomaly is present, with respect to one of the information items, an index indicating a degree of contribution to the anomaly; and an identification unit configured to perform calculation by an analysis algorithm using a causal model receiving the index as input, to identify an anomalous device, to improve the precision and calculation speed related to identification of an anomaly location.

TECHNICAL FIELD

The present invention relates to an anomaly location identificationdevice, an anomaly location identification method, and a program.

BACKGROUND ART

When handling an anomaly in a communication system, it is important torapidly execute (1) anomaly detection, and (2) anomaly location/causeidentification, and for each of (1) and (2), various methods have beenproposed (e.g., Non-patent documents 1 to 7).

First, regarding (1), a method has been generally known thatindividually calculates the outlierness or the like for each device inthe system, by using observation information of the device, and if theoutlierness exceeds a threshold, determines it as an anomaly to raise analert. In this method, an anomaly detection method is applied to therespective devices independently; therefore, if an anomaly is detected,it is possible to identify which observation information item of whichone of the devices relates to the anomaly. Meanwhile, as in Non-patentdocument 6, a method has been proposed that determines the presence orabsence of an anomaly in the entire system from various observationinformation items in a system. This method determines an anomaly bytaking into consideration the correlation among the observationinformation items obtained in the entire system. However, in thismethod, only the presence or absence of an anomalous state in the entiresystem can be determined, and it is not possible to identify whichobservation information item of which one of the devices relates to theanomaly. In order to solve this problem, a method has been proposed thatuses an anomaly contribution degree calculation algorithm to calculatewhich observation information item contributes to an anomaly when theanomaly is detected (hereafter, referred to as “contribution degree”),and narrows down anomalous observation information items. This enablesto estimate the state of the observation information output by eachdevice while determining the anomaly of the entire system, and todetermine which observation information item is anomalous based on theresult of the anomaly detection method so as to take measures(Non-patent document 7).

Also, regarding (2), in the conventional anomaly location/causeidentification techniques, there are techniques such that the trafficvolume is alerted based on a threshold or the like, or by using an alertof syslog as the observation information, and based on a causalrelationship between a predetermined device state and the observationinformation, an anomaly location is identified. Thus, when alerts areissued from devices, one of the devices is identified as the anomalylocation. Based on this result, measures can be taken for the anomalousdevice.

RELATED ART DOCUMENTS Non-Patent Documents

-   Non-Patent Document 1: Srikanth Kandula, Dina Katabi, and    Jean-philippe Vasseur. Shrink: A tool for failure diagnosis in IP    networks. Proceedings of the 2005 ACM SIGCOMM workshop on Mining    network data, pages 173-178, 2005.-   Non-Patent Document 2: R. R. Kompella, J. Yates, A. Greenberg,    and A. C. Snoeren. IP Fault Localization via Risk Modeling. IEEE    Transactions on Dependable and Secure Computing, 7(4):1-14, 2010.-   Non-Patent Document 3: He Yan, Lee Breslau, Zihui Ge, Dan Massey,    Dan Pei, and Jennifer Yates. G-RCA: A Generic Root Cause Analysis    Platform for Service Quality Management in Large IP Networks.    IEEE/ACM Transactions on Networking, 20(6):1734-1747, 2012.-   Non-Patent Document 4: Yoichi Matsuo, Yusuke Nakano, Akira Watanabe,    Keishiro Watanabe, Keisuke Ishibashi, Ryoichi Kawahara, “Examination    of Technique for Estimating Cause of Atypical Failure”, IEICE    General Conference, B-7-35, 2017.-   Non-Patent Document 5: Hodge, Victoria J., and Jim Austin. “A survey    of outlier detection methodologies”, Artificial intelligence review    22.2 (2004): 85-126.-   Non-Patent Document 6: Mayu Sakurada and Takehisa Yairi, “Anomaly    detection of spacecraft by dimension reduction using autoencoder”,    Proc. of national convention of the Japanese Society for Artificial    Intelligence 28, 1-3, 2014-   Non-Patent Document 7:

Ikeda, Ishibashi, Nakano, Watanabe, Kawahara, “Inferring causalparameters of anomalies detected by autoencoder using sparseoptimization”, IEICE Technical Report, vol. 117, no. 89, IN2017-18, pp.61-66, June 2017.

SUMMARY OF INVENTION Problem to be Solved by the Invention

In the case of applying an anomaly detection method to each deviceindependently, when an anomaly occurs, not only the anomalous device butalso the observation information of the devices around the anomalousdevice may be affected and the anomaly may be detected on multipledevices, and in some cases, the anomalous device and observationinformation cannot be identified uniquely. Also, in the case of applyingan anomaly detection method to each device independently, there is arisk that if the outlierness or the like does not reach a threshold, thedetection of an anomaly fails and no alert is raised from the anomalousdevice.

Therefore, in the case of applying such an anomaly detection method, ifanomalies are detected in multiple devices, it is necessary to apply thetechnique of (2) to identify the anomaly location; however, on the otherhand, the technique of (2) assumes that an alert is raised from aspecific device where an anomaly occurred. Therefore, if anomalydetection fails and no alert is raised from the device where an anomalyoccurred, problems may arise such that the anomaly itself cannot bedetected; the estimation precision of the anomaly location decreases;the time required for identifying the anomaly location and cause becomeslonger; and the like. Also, as in Non-patent document 7, by calculatingan anomaly degree of the entire system and a contribution degree withrespect to the anomaly degree, it is possible to narrow down devicesthat output anomalous observation information; however, it is not alwayspossible to uniquely identify the device. The contribution degrees ofthe observation information issued by devices around an anomalous devicemay be high; therefore, it may be necessary to manually determine whichdevice is anomalous from among the multiple devices.

The present invention has been made in view of the above points, and hasan object to improve the precision and calculation speed related toidentification of an anomaly location.

Means for Solving the Problem

Thereupon, in order to solve the above problems, an anomaly locationidentification device includes a determination unit configured todetermine presence or absence of an anomaly by inputting part or all ofinformation items output from a plurality of devices into an anomalydetection algorithm; a calculation unit configured to calculate, inresponse to a determination made by the determination unit that ananomaly is present, with respect to one of the information items, anindex indicating a degree of contribution to the anomaly; and anidentification unit configured to perform calculation by an analysisalgorithm using a causal model receiving the index as input, to identifyan anomalous device.

Advantage of the Invention

It is possible to improve the precision and calculation speed related toidentification of an anomaly location.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a diagram illustrating an example of a hardware configurationof an anomaly location identification device 10 according to anembodiment of the present invention;

FIG. 2 is a diagram illustrating an example of a functionalconfiguration of the anomaly location identification device 10 accordingto the embodiment of the present invention; and

FIG. 3 is a flowchart for describing an example of processing stepsexecuted by the anomaly location identification device 10;

EMBODIMENTS OF THE INVENTION

In the following, embodiments of the present invention will be describedwith reference to the drawings. In the present embodiment, anomalydetection techniques are effectively linked with anomaly location/causeidentification techniques to improve the precision and calculation speedof anomaly location/cause identification.

By using an information group output from devices (hereafter, referredto as the “observation information group”) in a system includingmultiple devices to be observed, and applying the anomaly detectiontechniques to determine the presence or absence of an anomaly in theentire system, the presence or absence of an anomaly in the entiresystem is determined. If an anomaly is present in the system, for eachitem of information included in the observation information group(hereafter, referred to as the “observation information”), an indexindicating a degree of contribution to the detected anomaly (hereafter,referred to as the “contribution degree”) is calculated, and thecontribution degree is input into the anomaly location/causeidentification method. By inputting the contribution degrees into theanomaly location/cause identification technique, it is possible to solvethe problem that by using only the anomaly detection technique and thecontribution degrees, an anomalous device cannot be precisely identifiedin the case where the observation information having high contributiondegrees appears on multiple devices. Also, by inputting the contributiondegrees into the anomaly location/cause identification technique, theprecision degradation based on the missed alert due to failure ofanomaly detection by the anomaly location/cause identification techniquethat handles only the alert, is solved. As a method of inputting thecontribution degrees into the anomaly location/cause identificationtechnique, there are methods such that a certain threshold is set, andif the contribution degree is greater than or equal to the threshold, 1is set, otherwise, 0 is set as a binary value; or the contributiondegree is input as it is.

Changes in traffic and resources that are not alerted due to failure ofanomaly detection also appear in the contribution degrees. Also, for ananomaly that propagates in a system, the contribution degree of theobservation information of a device closer to the anomaly location/causetakes a higher value. Therefore, by inputting the contribution degreesto the anomaly location/cause identification method, it is possible toimprove the precision and calculation speed as compared with theconventional method using an alert as input. Further, by applying theanomaly location/cause identification technique only to devices around adevice that outputs the observation information with a high contributiondegree, the calculation range for the anomaly location/causeidentification technique can be limited to a part of, not the entiretyof, a system; therefore, it is possible to speed up the anomalylocation/cause identification method. As such, the effective linkagebetween anomaly detection and anomaly location/cause identificationimproves the precision and calculation speed of anomaly location/causeidentification.

Next, an anomaly location identification device 10 that executes theabove processing will be described specifically. FIG. 1 is a diagramillustrating an example of a hardware configuration of an anomalylocation identification device 10 according to an embodiment of thepresent invention. The anomaly location identification device 10 in FIG.1 includes a drive device 100, an auxiliary storage device 102, a memorydevice 103, a CPU 104, an interface device 105, a display device 106,and an input device 107, which are connected with each other via a busB.

A program that implements processing on the anomaly locationidentification device 10 is provided by a recording medium 101 such as aCD-ROM. When the recording medium 101 storing the program is set intothe drive device 100, the program is installed in the auxiliary storagedevice 102 from the recording medium 101 through the drive device 100.However, installation of the program does not necessarily need to bedone from the recording medium 101; the program may be downloaded fromanother computer via a network. The auxiliary storage device 102 storesthe installed program and stores necessary files, data, and the like.

The memory device 103 reads out the program from the auxiliary storagedevice 102 and stores the program when an activation command of theprogram is received. The CPU 104 implements functions relating to theanomaly location identification device 10 according to the programstored in the memory device 103. The interface device 105 is used as aninterface for connecting to a network. The display device 106 displays aGUI (Graphical User Interface) or the like based on a program. The inputdevice 107 is constituted with a keyboard, a mouse, and the like, and isused for inputting various operational commands.

Note that the anomaly location identification device 10 may not have thedisplay device 106 and the input device 107. In this case, a terminal orthe like that can be connected to the anomaly location identificationdevice 10 via a network may function as the display device 106 and theinput device 107. Also, the anomaly location identification device 10may be constituted with multiple computers.

FIG. 2 is a diagram illustrating an example of a functionalconfiguration of the anomaly location identification device 10 accordingto the embodiment of the present invention. In FIG. 2, the anomalylocation identification device 10 includes an observation informationcollection unit 11, an anomaly detection unit 12, a contribution-degreecalculation unit 13, a contribution-degree selection unit 14, an anomalylocation identification unit 15, and an output unit 16. Each of theseunits is implemented by a process that one or more programs installed inthe anomaly location identification device 10 cause the CPU 104 toexecute.

The observation information collection unit 11 regularly collects anobservation information group from devices (e.g., a communication devicesuch as a router) constituting the communication system 1. Note thateach device outputs one or more types of observation information (e.g.,traffic volume, resource information, syslog, and the like). The typesand number of observation information items output by the respectivedevices may be the same or may be different. For example, if the devicesare of the same type and the same model, the types and number ofobservation information items output from the devices are the same; orif the types or models of devices are different, the types and number ofobservation information items output from the devices may be different.For example, if there are five devices and each device outputs fiveitems of observation information, 5×5=25 items of observationinformation are collected at one collection time.

The anomaly detection unit 12 inputs part or all of an observationinformation group collected by the observation information collectionunit 11, into each of multiple known anomaly detection algorithms (e.g.,Non-patent document 7), to determine the presence or absence of ananomaly in the communication system 1. For example, each of the anomalydetection algorithms calculates an anomaly degree based on theobservation information and compares the anomaly degree with athreshold, to determine the presence or absence of an anomaly. Note thatthe types and number of observation information items input into therespective anomaly detection algorithm may be different. Also, themethod of determining the presence or absence of an anomaly by eachanomaly detection algorithm depends on its anomaly detection algorithm.

In the case where an anomaly has been detected by one or more anomalydetection algorithms (an anomaly has been determined to be present), thecontribution-degree calculation unit 13 calculates the contributiondegree to the anomaly for each observation information item input intothe detection algorithms that have detected the anomaly, among theobservation information group collected by the observation informationcollection unit 11. In the case where multiple anomaly detectionalgorithms detect an anomaly, the contribution degree is calculated byeach of the multiple anomaly detection algorithms with respect to theobservation information input into the anomaly detection algorithm. Thisis because the value of a contribution degree is affected by a functionused in an anomaly detection algorithm. Therefore, assuming that theobservation information included in the observation information groupconsists of 25 items, and in the case where an anomaly is detected bytwo types of detection algorithms, where one is an anomaly detectionalgorithm A receiving 15 items of observation information as inputs, andthe other is an anomaly detection algorithm B receiving 20 items ofobservation information as inputs, 15 contribution degrees arecalculated with the anomaly detection algorithm A, and 20 contributiondegrees are calculated with the anomaly detection algorithm B. Thecalculation of contribution degrees may be performed using a methoddescribed in Non-patent document 7.

The contribution-degree selection unit 14 selects contribution degreesas an input into the anomaly location/cause identification method. Forexample, in the case where an anomaly is detected by the two types ofanomaly detection algorithms as described above, the contribution-degreeselection unit 14 determines whether to input the contribution degreescalculated with one of the anomaly detection algorithms, or to inputparts of the contribution degrees calculated with the respective anomalydetection algorithms that have detected the anomaly, into the anomalylocation/cause identification method.

Based on an analysis algorithm (Non-patent documents 1-4) using a causalmodel receiving as an input contribution degrees selected by thecontribution-degree selection unit 14, the anomaly locationidentification unit 15 identifies (estimates) an anomaly location (ananomalous device or a device having a cause of the detected anomaly).

The output unit 16 outputs information representing the anomaly location(anomalous device) identified by the anomaly location identificationunit 15. For example, the information may be displayed on the displaydevice 106, or the information may be output by another output method.

In the following, processing steps executed by the anomaly locationidentification device 10 will be described. FIG. 3 is a flowchart fordescribing an example of processing steps executed by the anomalylocation identification device 10.

At Step S101, the observation information collection unit 11 waits forthe arrival of a collection time of an observation information group,which arrives at regular intervals. Once the collection time has arrived(YES at S101), the observation information collection unit 11 collectsan observation information group output during the latest regularinterval from the devices included in the communication system 1 (S102).

Next, the anomaly detection unit 12 inputs into each of the multipletypes of anomaly detection algorithms, one or more observationinformation items required by the anomaly detection algorithm from amongitems in the observation information group, to perform calculation bythe multiple types of anomaly detection algorithms, so as to determinethe presence or absence of an anomaly (presence or absence of a detectedanomaly) by each of the anomaly detection algorithms (S103). If ananomaly is detected by none of the used anomaly detection algorithms (NOat S104), the process returns to Step S101.

On the other hand, if it is determined that an anomaly is present by atleast one type of anomaly detection algorithm (anomaly has beendetected) (YES at S104), the contribution-degree calculation unit 13calculates, by each of the anomaly detection algorithms that havedetected the anomaly, a contribution degree group for the observationinformation items input into the anomaly detection algorithm (S105). Thecontribution degree group means one or more contribution degrees. Notethat observation information items input into the respective anomalydetection algorithms may be different from algorithm to algorithm, and afunction used by an anomaly detection algorithm affects the calculationof a contribution degree; therefore, the numbers and values ofcontribution degrees calculated by the respective anomaly detectionalgorithms may be different from each other.

Next, the contribution-degree selection unit 14 selects a part or partsof the contribution degree groups from among the contribution degreegroups calculated by the contribution-degree calculation unit 13 as acontribution degree group to be input into the anomaly locationidentification unit 15 (S106). In other words, the contribution-degreeselection unit 14 determines whether to input the contribution degreescalculated with one of the anomaly detection algorithms, or to inputparts of the contribution degrees calculated with the respective anomalydetection algorithms that have detected the anomaly, into the anomalylocation identification unit 15.

For example, the selection of a contribution degree group can beimplemented by a method in which, for each anomaly detection algorithm,the sum of the top 10 absolute values is calculated from among valueseach obtained by dividing each contribution degree calculated with theanomaly detection algorithm, by the total value of contribution degreeswith the anomaly detection algorithm, and a contribution degree groupwhose top 10 have a high proportion in the total sum of the absolutevalues is used. Specifically, for example, assume that 30 contributiondegrees A are calculated with an anomaly detection algorithm A, 30contribution degrees B are calculated with an anomaly detectionalgorithm B, and 30 contribution degrees C. are calculated with ananomaly detection algorithm C (i.e., a total of 90 contribution degreesare calculated). In this case, the contribution-degree selection unit 14divides each contribution degree of A by the total value of allcontribution degrees of A, and sets it as A′ (30 A's are calculated).Also, the contribution-degree selection unit 14 divides eachcontribution degree of B by the total value of all contribution degreesof B, and sets it as B′ (30 B's are calculated). Furthermore, thecontribution-degree selection unit 14 divides each contribution degreeof C by the total value of all contribution degrees of C, and sets it asC′ (30 C's are calculated). Next, the contribution-degree selection unit14 calculates, with respect to A′, the proportion of the top 10 valuesof A′ in the entire A′ (total value of 30 A's), and calculates the samewith respect to B′ and C′. From among A′, B′, and C′, thecontribution-degree selection unit 14 identifies a set in which the top10 values occupy the largest proportion (e.g., the set of A′), andselects a contribution degree group corresponding to the top 10 in theidentified set, as the contribution degree group to be input into theanomaly location identification unit 15. Alternatively, the selectionmay be performed such that contribution degree groups corresponding tothe top 10's in the above 30 A's, 30 B's, and 30 C's, respectively, areselected as a contribution degree group to be input into the anomalylocation identification unit 15. In this way, by using various anomalydetection methods, it becomes possible to handle various types ofanomalies.

Next, the anomaly location identification unit 15 selects a range withinwhich an anomaly location/cause identification technique (i.e., a rangefor constructing a causal model) is applied, based on the contributiondegree group selected by the contribution-degree selection unit 14(S107). For example, among the contribution degrees included in thecontribution degree group, a device that is an output source ofobservation information related to a contribution degree greater than orequal to the threshold, and its neighboring devices may be selected asthe devices that specify the range. A neighboring device of a certaindevice refers to a device having the number of hops being one (directlyconnected to the certain device).

Next, the anomaly location identification unit 15 generates a causalmodel as a directed Markov model in which a state layer of devicesX=x_(i) (i=1, . . . , N) is connected with a state layer of theobservation information Y=y_(j) (j=1, . . . , M) (S108). This causalmodel is a causal model constructed by analyzing a causal relationshipbetween observation information and a device configuration (connectionrelationship between devices). Here, N is the number of devices selectedat Step S107. M is the number of observation information items inputinto an anomaly detection algorithm corresponding to the contributiondegree group selected by the contribution-degree selection unit 14 fromamong the observation information items output by the devices selectedat Step S107. Also, y_(j) is a value based on a contribution degree ofthe j-th observation information item. As described above, the value maybe a contribution degree itself, or may be a binary value (1 or 0) basedon a comparison result between the contribution degree and thethreshold.

Next, the anomaly location identification unit 15 performs calculationby an analysis algorithm (Non-patent documents 1 to 4) using the causalmodel generated at Step S108 (e.g., a directed Markov model), toidentify (estimate) an anomaly location (an anomalous device) (S109).Note that in the case of using one of the analysis algorithms ofNon-patent documents 1 to 4, although the configuration information ofthe communication system is required, the configuration informationsimply needs to be stored in the auxiliary storage device 102 or thelike in advance. Also, in the case of the analysis algorithm ofNon-patent document 3, although information on past cases of anomalyoccurrences is required, the information simply needs to be stored inthe auxiliary storage device 102 or the like in advance.

Next, the output unit 16 outputs information representing an anomalousdevice identified (estimated) by the anomaly location identificationunit 15 (e.g., identification information of the anomalous device)(S110).

Note that although an example has been described above in which multipletypes of anomaly detection algorithms are used, only one type of anomalydetection algorithm may be used. In this case, Step S106 does not needto be performed.

Also, the present embodiment may be applied to a system other than acommunication system that includes multiple devices (or a device).

As described above, according to the present embodiment, by using thecontribution degree, it is possible to uniformly input calculationresults of various anomaly detection methods (anomaly detectionalgorithms) into an anomaly location/cause identification method, and toexecute from anomaly detection to location identification as a series ofoperations. As a result, it is possible to improve the precision andcalculation speed related to identification of an anomaly location.

Note that in the present embodiment, the anomaly detection unit 12 is anexample of a determination unit. The contribution-degree calculationunit 13 is an example of a calculation unit. The anomaly locationidentification unit 15 is an example of an identification unit. Thecontribution-degree selection unit 14 is an example of a selection unit.

As above, the embodiments of the present invention have been describedin detail; note that the present invention is not limited to suchspecific embodiments, and various modifications and changes may be madewithin the scope of the subject matters of the present inventiondescribed in the claims.

The present application claims the priority of Japanese PatentApplication No. 2018-003117 filed on Jan. 12, 2018, the entire contentsof which are incorporated herein by reference.

LIST OF REFERENCE SYMBOLS

-   1 communication system-   10 anomaly location identification device-   11 observation information collection unit-   12 anomaly detection unit-   13 contribution-degree calculation unit-   14 contribution-degree selection unit-   15 anomaly location identification unit-   16 output unit-   100 drive device-   101 recording medium-   102 auxiliary storage device-   103 memory device-   104 CPU-   105 interface device-   106 display device-   107 input device-   B bus

The invention claimed is:
 1. An anomaly location identification device,comprising: processing circuitry configured to collect information itemsfrom a plurality of devices via a network at regular intervals; make adetermination of a presence or absence of an anomaly by inputting partor all of the information items collected from the plurality of devicesinto an anomaly detection algorithm; calculate, in response to thedetermination being that an anomaly is present, with respect to one ofthe information items, an index indicating a degree of contribution tothe anomaly; and perform calculation by an analysis algorithm using acausal model receiving the index as input, to identify an anomalousdevice, wherein the processing circuitry is further configured to inputthe part or all of the information items into a plurality of anomalydetection algorithms, to determine the presence or absence of theanomaly by each of the plurality of anomaly detection algorithms,calculate, in response to a determination of the presence of the anomalymade by one of the anomaly detection algorithms, by said each of theanomaly detection algorithms, indices each indicating a degree ofcontribution to the anomaly, for the information items input into saideach of the anomaly detection algorithms, and select part of the indicesfrom among the indices calculated for the information items input intothe anomaly detection algorithms, and perform calculation by theanalysis algorithm using the causal model receiving as input theselected indices, the indices being calculated in relation to theanomaly detection algorithm.
 2. The anomaly location identificationdevice as claimed in claim 1, wherein the processing circuitry selects arange for constructing the causal model based on the index.
 3. Theanomaly location identification device as claimed in claim 2, whereinthe processing circuitry selects a device that specifies the range fromthe plurality of devices based on the index.
 4. An anomaly locationidentification method executed by a computer, the method comprising:collecting information items from a plurality of devices via a networkat regular intervals; make a determination of a presence or absence ofan anomaly by inputting part or all of the information items collectedfrom the plurality of devices into an anomaly detection algorithm;calculating, in response to the determination being that an anomaly ispresent, with respect to one of the information items, an indexindicating a degree of contribution to the anomaly; and performingcalculation by an analysis algorithm using a causal model receiving theindex as input, to identify an anomalous device, wherein the methodfurther includes input the part or all of the information items into aplurality of anomaly detection algorithms, to determine the presence orabsence of the anomaly by each of the plurality of anomaly detectionalgorithms, calculating, in response to a determination of the presenceof the anomaly made by one of the anomaly detection algorithms, by saideach of the anomaly detection algorithms, indices each indicating adegree of contribution to the anomaly, for the information items inputinto said each of the anomaly detection algorithms, and selecting partof the indices from among the indices calculated for the informationitems input into the anomaly detection algorithms, and performingcalculation by the analysis algorithm using the causal model receivingas input the selected indices, the indices being calculated in relationto the anomaly detection algorithm.
 5. A non-transitorycomputer-readable recording medium having a program stored thereon forcausing a computer to execute the anomaly location identification methodas claimed in claim
 4. 6. The anomaly location identification device asclaimed in claim 1, wherein the processing circuitry selects a range forconstructing the causal model based on the indices.
 7. The anomalylocation identification device as claimed in claim 3, wherein theprocessing circuitry selects a device that specifies the range from theplurality of devices based on the indices.